Industry is seeing a high number of phishing emails these days, which has resulted in high adoption of DMARC.
DMARC was introduced to combat From header spoofing and depends on SPF and DKIM for its decision making. We will talk about the SPF record here and what the best practice is.
- You must have an SPF record for your HELO/EHLO domain.
- You must have an SPF record for your mail-from domain.
- For an empty Return-Path, as used in error messages and other auto-replies, an SPF check of the HELO identity is mandatory.
Here is the sample SPF record of one of the IPs/hostnames of Facebook. Everyone should be following this method to correctly have an SPF record for their MTA, and it will help them get an SPF pass for bounce emails as well.
As per RFC 7208 (https://tools.ietf.org/html/rfc7208), bounce messages must have an SPF record for their EHLO/HELO domain,
and the EHLO/HELO domain looks like this in the email headers. This is also configurable on your MTA servers.
Publish an SPF record like below, the way facebook.com has done:
- A TXT record lookup of facebook.com returned these entries; one of the IPs was 220.127.116.11.
- 18.104.22.168 had an rDNS of 66-220-144-128.mail-mail.facebook.com
- 66-220-144-128.mail-mail.facebook.com has a TXT record of v=spf1 a ~all
Either of the above options will fix the DMARC issue as well and make the SPF record aligned.
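To make the two checks above concrete, here is an added example (not code from this post, and not any MTA's implementation) of a minimal SPF evaluator in Python. It runs against a constructed in-memory DNS table with hypothetical example.com hostnames, so it works offline. The hostname mail-1.example.com publishes the same "v=spf1 a ~all" pattern the post recommends for a HELO host, and spf_result picks the HELO domain as the identity whenever MAIL FROM is empty, which is exactly the bounce case that fails when the HELO domain has no record. Only the a, ip4, include and all mechanisms are implemented; mx, exists, redirect, macros and the DNS lookup limit are left out.

```python
"""Minimal SPF evaluator: added illustration, not an MTA's real implementation."""
import ipaddress
import re

# Constructed DNS zone data (hypothetical names): name -> {rrtype: [values]}.
DNS = {
    "mail-1.example.com": {
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 a ~all"],   # the HELO-host pattern the post recommends
    },
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    },
    "_spf.example.net": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# qualifier, mechanism name, optional ":argument", optional "/cidr"
TERM = re.compile(r"^([+\-~?])?([a-zA-Z0-9]+)(?::([^/]+))?(?:/(\d{1,2}))?$")


def lookup(name, rrtype):
    """Answer a DNS query from the constructed table (no network access)."""
    return DNS.get(name.lower(), {}).get(rrtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record of domain, or None if absent/ambiguous."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain):
    """Evaluate domain's SPF record for the connecting ip (RFC 7208 check_host, subset)."""
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"            # no record: the bounce failure this post warns about
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            return "permerror"   # modifiers such as redirect= are not supported here
        q, mech, arg, cidr = m.groups()
        qualifier, mech = q or "+", mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            net = ipaddress.ip_network(arg + ("/" + cidr if cidr else ""), strict=False)
            matched = addr in net
        elif mech == "a":
            # "a" with no argument means the A record(s) of the domain being checked
            target, prefix = arg or domain, cidr or "32"
            nets = [ipaddress.ip_network(f"{a}/{prefix}", strict=False)
                    for a in lookup(target, "A")]
            matched = any(addr in n for n in nets)
        elif mech == "include":
            matched = check_host(ip, arg) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # record exhausted without an "all" term


def spf_result(ip, helo, mail_from):
    """Choose the SPF identity the way a receiver does and evaluate it.

    An empty MAIL FROM (bounces, auto-replies) means the HELO/EHLO domain is
    checked; otherwise the domain part of MAIL FROM is checked.
    """
    if mail_from in ("", "<>"):
        identity_domain = helo
    else:
        identity_domain = mail_from.rsplit("@", 1)[-1]
    return identity_domain, check_host(ip, identity_domain)


if __name__ == "__main__":
    # Bounce from the host that publishes "v=spf1 a ~all" on its HELO name.
    print(spf_result("192.0.2.10", "mail-1.example.com", ""))
    # Same bounce from a HELO name with no SPF record at all.
    print(spf_result("192.0.2.10", "nospf.example.org", ""))
    # Normal mail evaluated on the MAIL FROM domain.
    print(spf_result("198.51.100.7", "mail-1.example.com", "user@example.com"))
```

Running the script shows the difference the post is about: the bounce from mail-1.example.com evaluates to pass on the HELO identity, the bounce from a HELO name without a TXT record evaluates to none, and ordinary mail is judged on the MAIL FROM domain through the ip4 and include mechanisms.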
Thank you for reading!